
Re: Why people by NATs

2004-11-30 17:22:23
Thus spake "Iljitsch van Beijnum" <iljitsch(_at_)muada(_dot_)com>
> Actually in IPv6 you are well-protected against random scanning without the need for any device in the middle: a /64 subnet is so large, that scanning it is completely infeasible.
>
> Now of course someone who knows your address doesn't have to scan, so this protection isn't complete. But for TCP it's entirely trivial to only allow sessions to be set up in one direction. Full stateful firewalling is of course also possible. However, both these options bring back some of the downsides of NAT: in order to make incoming sessions possible, there must be configuration of some sort.

IMHO a firewall function, probably stateful, is necessary in nearly all cases. However, this has gotten so mixed up with NAT that many people (even at vendors) don't realize they're different things.

With v6 we have the ability to fix this; through some magic function, users should be able to get a PA (at a minimum) subnet behind their local router/modem/whatever and have a decent interface to configure inbound filters, similar to how they can configure evil NAT port-forwarding today.

> A default filter that rejects packets for services that are generally intended for local use only would probably be good enough for a residential IPv6 router. Other services are either not enabled and/or firewalled in the host anyway, or the user actually wants them to work.
>
> (It would be incredibly helpful to have all these local-use services in a fixed range of port numbers for easy filtering...)

Default filters are a pain, because inevitably they end up blocking something that's useless today but a critical need tomorrow... For instance, my @#%#^& Linksys not only doesn't understand native IPv6 (hello, wake up Cisco!) but it even blocks IP-in-IP packets so I can't use an IPv6 tunnel.

At a minimum, vendors should document _everything_ the default filter does and allow the user to disable it if necessary. You don't need to load the gun for them, but if someone wants to shoot themselves in the foot, it's not your duty to prevent them, because they might have a perfectly good reason to.

S

Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking
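As an added example, not from this thread or from any vendor's firmware: a residential IPv6 router forward ruleset in nftables syntax that does what the messages above ask for, stateful filtering with no NAT, a default that rejects local-use services, every rule documented in place, and explicit pinholes instead of port-forwarding. The interface names, the documentation prefix and the pinhole entry are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumptions: the upstream
# link is "wan0", the delegated /64 sits on "lan0", prefix is a placeholder.
define WAN = wan0
define LAN = lan0
define LAN_PREFIX = 2001:db8:1234:5678::/64

table ip6 home_fw {
    # One entry per pinhole the user opens: address . port. This is the
    # v6 analogue of NAT port-forwarding, with no address rewriting at all.
    set inbound_pinholes {
        type ipv6_addr . inet_service
        elements = { 2001:db8:1234:5678::10 . 22 }   # constructed entry
    }

    # Services meant for local use only; inbound attempts are refused even
    # if a host has them listening. Listed here so a user can edit or empty them.
    set local_only_tcp { type inet_service; elements = { 135, 139, 445, 631, 5900 } }
    set local_only_udp { type inet_service; elements = { 137, 138, 5353 } }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful core: replies to sessions opened from inside are accepted,
        # which is the "sessions in one direction only" rule done properly.
        ct state established,related accept
        ct state invalid drop

        # Anything originating on the LAN from our own prefix may go out.
        iifname $LAN oifname $WAN ip6 saddr $LAN_PREFIX accept

        # ICMPv6 is not optional in v6: path MTU discovery and error
        # reporting break without these types.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Inbound new sessions: refuse local-use services outright ...
        iifname $WAN tcp dport @local_only_tcp reject with tcp reset
        iifname $WAN udp dport @local_only_udp reject with icmpv6 type port-unreachable

        # ... then allow only what the user explicitly opened.
        iifname $WAN ip6 daddr . tcp dport @inbound_pinholes accept
        iifname $WAN ip6 daddr . udp dport @inbound_pinholes accept

        # Everything else inbound falls to the chain policy (drop). This table
        # only sees IPv6; the IPv4 side, including protocol-41 tunnels like the
        # one the Linksys blocks, needs its own equally documented rules.
    }
}
```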

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

